Credential Injector Filter: OAuth2 client credential extension#33702
Credential Injector Filter: OAuth2 client credential extension#33702wbpcode merged 55 commits intoenvoyproxy:mainfrom
Conversation
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
| # | ||
| # Access loggers | ||
| # | ||
|
|
There was a problem hiding this comment.
oh, I will fix unnecessary formatting.
vikaschoudhary16
force-pushed
the
client-cred-oauth2
branch
from
446b6af to
dfdab41
Compare
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
|
I will work on |
| timer_ = dispatcher_->createTimer([this]() -> void { asyncGetAccessToken(); }); | ||
| ENVOY_LOG(debug, "onGetAccessTokenSuccess: Token fetched successfully, expires in {} seconds.", | ||
| expires_in.count()); | ||
| timer_->enableTimer(expires_in / 2); |
There was a problem hiding this comment.
I think the things about timer could be simper. You completely needn't create the timer again and again. You can only create one and enable/disable it according your requirement here.
wbpcode
left a comment
wbpcode
left a comment
There was a problem hiding this comment.
This look great overall. Only a comment about the retry timer. Thanks for working on this.
|
/wait |
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
wbpcode
left a comment
wbpcode
left a comment
There was a problem hiding this comment.
Thanks for you quick response and update. Some comments are added. Please note the possible lifetime problem of the in-flight-request.
| return absl::NotFoundError("Failed to get oauth2 token from token provider"); | ||
| } | ||
|
|
||
| headers.setCopy(Envoy::Http::CustomHeaders::get().Authorization, token); |
| thread_local_cluster->httpAsyncClient().send( | ||
| std::move(msg), *this, | ||
| Envoy::Http::AsyncClient::RequestOptions().setTimeout( | ||
| std::chrono::milliseconds(PROTOBUF_GET_MS_REQUIRED(uri_, timeout)))); |
There was a problem hiding this comment.
What will happen if the client was destructed because the xDS updating and then the a response is received from remote server?
I think you may need to store the in-flight-request here and use the result to cancel any pending request when the client is destructed.
There was a problem hiding this comment.
thanks for pointing out. Addressed it.
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
|
/docs |
|
Docs for this Pull Request will be rendered here: https://storage.googleapis.com/envoy-pr/33702/docs/index.html The docs are (re-)rendered each time the CI |
phlax
left a comment
phlax
left a comment
There was a problem hiding this comment.
docs lgtm, thanks again @vikaschoudhary16 for working on this
handing over to @wbpcode and @adisuissa for signoff
wbpcode
left a comment
wbpcode
left a comment
There was a problem hiding this comment.
Thanks for your hard work. The code is fine to me. Most comments are for tests.
|
|
||
| #include "test/mocks/event/mocks.h" | ||
| #include "test/mocks/server/factory_context.h" | ||
| #include "test/mocks/thread_local/mocks.h" | ||
| #include "test/mocks/upstream/cluster_manager.h" | ||
|
|
||
| #include "gtest/gtest.h" | ||
|
|
||
| namespace Envoy { | ||
| namespace Extensions { | ||
| namespace Http { | ||
| namespace InjectedCredentials { | ||
| namespace OAuth2 { |
There was a problem hiding this comment.
I think all these oauth2 tests should be placed in the test/extensions/http/credential_injector/oauth2?
And seems the unit tests are pretty simple (although the integration tests are great)
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
Signed-off-by: Vikas Choudhary <choudharyvikas16@gmail.com>
|
Thanks a lot @wbpcode @adisuissa @phlax for guidance and feedback. really appreciate!! |
4 participants
Commit Message:
This PR is follow up to #30850 and is adding oauth2(client credential grant) extension. At a high level, oauth2 extension has
TokenProviderwhich runs on main thread to fetch token from oauth server and sets tls slot with the received token. All worker threads then access this token from tls to inject requestHeaders during decodeHeaders.Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Fixes commit #PR or SHA]
[Optional Deprecated:]
[Optional API Considerations:]